News about linux, computer, computer science, mathematics and white hot chocolate, the most beautiful drink in this world.

Friday, April 26, 2013

Analysis of a spam site

Last week, I received an e-mail from a contact of mine. Immediately, I knew something was wrong: the subject was her name between <> and the body was only a single line.

Before 12/2012, it was possible to find out where a Hotmail message had been sent from: the "X-Originating-IP" header carried the IP of the machine used to send the e-mail through the web interface. This is no longer possible, or at least not easily, as Microsoft has replaced "X-Originating-IP" with an "X-EIP" header whose value looks like a hash. If you have more information on this, let me know.
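Pulling the origin out of the headers is the first step of this kind of analysis, so here is a small header parser as an added example (it is not part of the original post). The two messages it parses are constructed for the demo: the real mail's headers are not reproduced on the page, the host names and addresses are documentation placeholders (example.com, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), and the X-EIP value is made up to look like the opaque token described above.

```python
import email
import ipaddress
import re

# Constructed sample: a webmail message as the provider sent it before 12/2012.
# Hostnames and addresses are documentation placeholders, not real servers.
MAIL_BEFORE_2013 = """\
Received: from out.webmail.example.com (198.51.100.25) by mx.example.net
 with ESMTP; Fri, 19 Apr 2013 10:21:43 +0000
Received: from WEBMAIL-FE1 ([192.0.2.10]) by out.webmail.example.com
 with SMTP; Fri, 19 Apr 2013 10:21:42 +0000
X-Originating-IP: [203.0.113.77]
From: Jane Doe <jane@example.com>
To: you@example.net
Subject: <Jane Doe>

http://spam.example/x
"""

# Same message as sent after the change: the real IP is replaced by an opaque
# value (this X-EIP string is invented for the demo).
MAIL_AFTER_2013 = MAIL_BEFORE_2013.replace(
    "X-Originating-IP: [203.0.113.77]", "X-EIP: [Oy0ZfT0KbBMyXGmjH7e7Ig]")

# Dotted quad not glued to other digits/dots ("(198.51.100.25)", "[192.0.2.10]").
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def _valid_ips(text):
    """All syntactically valid IPv4 addresses in a header value, in order."""
    out = []
    for m in IPV4.finditer(text):
        try:
            out.append(str(ipaddress.IPv4Address(m.group(1))))
        except ipaddress.AddressValueError:
            pass  # e.g. 999.1.1.1 matches the regex but is not an address
    return out


def originating_ip(raw):
    """IP from X-Originating-IP, or None when the header is absent."""
    msg = email.message_from_string(raw)
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    ips = _valid_ips(value)
    return ips[0] if ips else None


def received_chain(raw):
    """IPs named in the Received: headers, oldest hop first.

    Each relay prepends its own Received: line, so the message order is newest
    first; reversing it gives the path the mail took. For webmail the oldest
    hop is the provider's own front end, not the user's machine, which is why
    X-Originating-IP was the only header that named the real sender.
    """
    msg = email.message_from_string(raw)
    hops = [ip for h in msg.get_all("Received", []) for ip in _valid_ips(h)]
    hops.reverse()
    return hops


def origin_headers(raw):
    """Whichever origin header the provider left in: the real IP or the opaque X-EIP."""
    msg = email.message_from_string(raw)
    return {k: msg.get(k) for k in ("X-Originating-IP", "X-EIP") if msg.get(k) is not None}


if __name__ == "__main__":
    for label, raw in (("before", MAIL_BEFORE_2013), ("after", MAIL_AFTER_2013)):
        print(label, originating_ip(raw), received_chain(raw), origin_headers(raw))
```

On the "after" message the only thing left to go on is the Received chain, and its oldest hop is the provider's front end, not the sender; that is exactly the information that disappeared with the header.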

Warning: do not copy any of the following links in your browser unless you know exactly what you are doing! I have not tested any of them for possible malware. You have been warned!

The single line is actually a link (http://ruraltrauma.com/vvowfjp/xxotv685/ljr9c44/z087l8st/fwmfg). So, let's wget that bad boy.

Without a user-agent option, wget doesn't hide its nature (its default User-Agent string starts with "Wget/"). Here that is greeted with a 403 (Forbidden). Interesting. What about changing the user-agent to match Windows 7 with IE9? The corresponding user-agent string is "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)". And yes, this changes the reply! The same test with a Windows XP/IE7 string returns the same page as the IE9 one.

The request to "ruraltrauma.com" returns a 302 (Found) to "http://goodwaystoloseweightsolution.com/indexer.php?a=273446&c=wl_con", which in turn returns a 302 to "http://goodwaystoloseweightsolution.com/diet/GarciniaCambogiaDiet/".

There are two parameters in the middle URL: a and c. I played a bit and found the following:

The "a" parameter seems to be some form of counter, but isn't used to select a specific page: whether it is present or not, the same pages are returned;

Two pages are returned, 'GarciniaCambogiaDiet' and 'GreenCoffeDiet', alternately;

The "c" parameter seems to select the campaign, but I was not able to find another set of sites. Yet.

Code analysis - first landing page

Let's dive into the first page.

There are a few JavaScript snippets present: one returns the date with the day of the week and the month name, the other is the usual "you are about to pass on a once-in-a-lifetime opportunity, do you want to reconsider?" message box, fired when the user leaves or closes the page.

Most of the body is the usual crap: "facts", "user comments", "leave us a comment" (which is just a decoy: there is no form and no script attached to it). Dr. Oz is mentioned in the text:

<h2>Conclusion</h2>
<p><a href="go.php" target="_blank"><strong>Pure Garcinia Cambogia</strong></a>
is made from HCA the finest 100% Garcinia Cambogia fruits on the
planet. We offer the highest potency Garcinia Cambogia extract available
which meets all of the criteria put forth by Dr. Oz. We are confident
that it will work for you, as it has for so many others.</p>

And the Doctor gets another mention at the bottom of the page. There is also a YouTube video of Dr. Oz explaining the benefits of the various products advertised here.

<div id="footer">

<p>
*The Dr. Oz Show is a registered trademark of ZoCo 1, LLC, which is not
affiliated with and does not sponsor or endorse the products or services
of 100% Pure Garcinia Cambogia With Svetol ®. All Rights Reserved.</p>

<p>*Reference on our Web Sites to any publication or service of any
third party by me, domain name, trademark, trade identity, service mark,
trade identity, logo, manufacturer or otherwise does not constitute or
imply its endorsement or recommendation by Company, its parent,
subsidiaries and affiliates.</p>

Yeah, to be on the safe side: let's mention him, but not too much. If you were wondering, the "conclusion" uses the "clear" class, while the bottom message uses the "footer" class. The CSS files show that the former will be plainly visible and the latter much less so: the footer text is rendered in a colour that barely stands out against the white background.

One thing that stands out is the number of references to go.php: no fewer than 25. It is the target of pretty much every link in the file.

There is another PHP file, imp.php, loaded in an iframe.

imp.php

That file is included in an iframe of size 0x0. When requested, it returns a single line, an IMG tag pointing to http://traffictrackingsys.com/imp.ashx?CID=237591&AFID=&SID=, another script. Fuzzing the CID parameter, or even removing it, didn't change the GIF returned, which is a 1x1 pixel.

Getting this file is really interesting because of the number of redirects involved:

Connecting to goodwaystoloseweightsolution.com
To http://traffictrackingsys.com/click.ashx?CID=237591&AFID=266107&SID=empty
To http://www.clclckck.com/aff_c?offer_id=48&aff_id=4
To http://wehasoffers.go2cloud.org/aff_c?offer_id=48&aff_id=4
To http://processingordersonline.com/rd/r.php?sid=155&pub=410028&c1=
To http://authenticgarciniacambogia.net/intl/special/?click_id=782623411&c1=&c2=&c3=&AFID=410028&SID=

That is no fewer than 5 redirects! The parameters carried by some of the hops suggest that the same sites can discriminate between different campaigns. More on this later.
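Both observations above, the user-agent cloaking (403 for bare wget, a page for an IE string) and the long redirect chain, are easier to study when each hop is recorded instead of silently followed. The tracer below is an added example, not code from the post. It does not contact any of the real hosts: a throwaway local HTTP server stands in for the whole chain, replaying the post's paths and query strings, and the client records every hop by refusing to follow redirects automatically. The 403 rule ("anything whose User-Agent does not start with Mozilla/") is a guess at the cloaking logic, chosen so the demo reproduces what the post saw.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin

# The IE9 user-agent string the post used; wget's default looks like "Wget/1.14 (linux-gnu)".
IE9_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
WGET_UA = "Wget/1.14 (linux-gnu)"

# Constructed stand-in for the chain: every hop lives on one local server, so
# the real hosts are never contacted. Paths and query strings copy the post's.
CHAIN = {
    "/vvowfjp/xxotv685/ljr9c44/z087l8st/fwmfg": "/indexer.php?a=273446&c=wl_con",
    "/indexer.php": "/diet/GarciniaCambogiaDiet/",
}


class CloakingHandler(BaseHTTPRequestHandler):
    """403 for anything that does not look like a browser, otherwise the 302 chain."""

    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if not ua.startswith("Mozilla/"):  # assumed cloaking rule
            self.send_response(403)  # Forbidden, as the post saw for bare wget
            self.end_headers()
            return
        path = self.path.split("?", 1)[0]
        if path in CHAIN:
            self.send_response(302)
            self.send_header("Location", CHAIN[path])
            self.end_headers()
            return
        body = b"<html><body>landing page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn every 3xx into an HTTPError so the caller sees each hop, not just the last page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def trace(url, user_agent, max_hops=10):
    """Return [(status, url), ...] for every hop, following Location headers by hand."""
    opener = urllib.request.build_opener(NoRedirect)
    hops = []
    for _ in range(max_hops):
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        try:
            with opener.open(req, timeout=5) as resp:
                hops.append((resp.status, url))
                return hops
        except urllib.error.HTTPError as err:
            hops.append((err.code, url))
            location = err.headers.get("Location")
            if location is None or err.code not in (301, 302, 303, 307, 308):
                return hops  # terminal error such as the 403
            url = urljoin(url, location)  # Location may be relative
    hops.append(("too many hops", url))
    return hops


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), CloakingHandler)  # port 0: pick a free one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def demo():
    """Fetch the entry URL once as wget and once as IE9; returns both traces."""
    srv, base = start_server()
    try:
        entry = base + "/vvowfjp/xxotv685/ljr9c44/z087l8st/fwmfg"
        return trace(entry, WGET_UA), trace(entry, IE9_UA)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for label, hops in zip(("wget", "IE9"), demo()):
        print(label)
        for status, url in hops:
            print("  %s %s" % (status, url))
```

Point `trace()` at a real entry URL (with the warning above in mind) and the same function lists the chain hop by hop; varying the user-agent argument is how you tell cloaking from an ordinary error.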

The page contains three JavaScript includes, one of which couldn't be found (js/11.js). It also contains a form to order the "goods", with the POST going to https://www.drstation.com/index.php?main_page=two_step_form_processor. Interestingly, that connection is done over HTTPS.
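The inventory above (25 links to go.php, a 0x0 iframe, a tracking pixel with CID/AFID/SID parameters, a missing script, an order form posting to drstation.com) is the kind of thing worth scripting rather than counting by hand. The parser below is an added example and not code from the post; the page it parses is a constructed stand-in that only reuses the targets named above (go.php, imp.php, js/11.js, the drstation.com form action and the imp.ashx image URL), and the 43-byte 1x1 GIF is built here because the post does not reproduce the real pixel.

```python
import struct
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the landing page; only the targets come from the post.
SAMPLE_PAGE = """<html><head>
<script src="js/date.js"></script>
<script src="js/11.js"></script>
</head><body>
<h2>Conclusion</h2>
<p><a href="go.php" target="_blank"><strong>Pure Garcinia Cambogia</strong></a></p>
<p><a href="go.php">Order now</a> or <a href="#comments">leave a comment</a></p>
<iframe src="imp.php" width="0" height="0" frameborder="0"></iframe>
<form action="https://www.drstation.com/index.php?main_page=two_step_form_processor" method="post">
<input name="email"><input type="submit"></form>
</body></html>"""

# The single line imp.php returns, rebuilt from the post's description.
SAMPLE_IMP = '<img src="http://traffictrackingsys.com/imp.ashx?CID=237591&AFID=&SID=">'

# Smallest valid 1x1 GIF (43 bytes), constructed for the demo.
ONE_BY_ONE_GIF = bytes.fromhex(
    "474946383961" "01000100" "800000" "000000ffffff"
    "21f9040100000000" "2c00000000010001000002024401003b")


class Inventory(HTMLParser):
    """Collects what matters on a spam landing page: link targets, iframes,
    images, scripts and forms."""

    def __init__(self):
        super().__init__()
        self.links = Counter()
        self.iframes, self.images, self.scripts, self.forms = [], [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links[a["href"]] += 1
        elif tag == "iframe" and a.get("src"):
            self.iframes.append((a["src"], a.get("width"), a.get("height")))
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "form":
            self.forms.append((a.get("method", "get").lower(), a.get("action")))


def inventory(html):
    p = Inventory()
    p.feed(html)
    p.close()
    return p


def hidden_iframes(inv):
    """iframes sized 0x0: invisible to the user but still fetched by the browser."""
    return [src for src, w, h in inv.iframes if w in ("0", "0px") and h in ("0", "0px")]


def beacon_params(img_url):
    """Query parameters of a tracking image, keeping the empty ones (AFID=, SID=)."""
    q = parse_qs(urlsplit(img_url).query, keep_blank_values=True)
    return {k: v[0] for k, v in q.items()}


def gif_dimensions(data):
    """(width, height) from the GIF logical screen descriptor, or None if not a GIF."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])


def is_tracking_pixel(data):
    return gif_dimensions(data) == (1, 1)


def report(html):
    """Summary of what the page pulls in and where the order form goes."""
    inv = inventory(html)
    return {
        "top_link_target": inv.links.most_common(1)[0] if inv.links else None,
        "hidden_iframes": hidden_iframes(inv),
        "post_targets": [urlsplit(a).netloc for m, a in inv.forms if m == "post" and a],
        "scripts": inv.scripts,
    }


if __name__ == "__main__":
    print(report(SAMPLE_PAGE))
    print(beacon_params(inventory(SAMPLE_IMP).images[0]))
    print(is_tracking_pixel(ONE_BY_ONE_GIF))
```

Run `report()` over each page in the chain and the "constant" below (every order form posting to the same host) falls out of the post_targets column.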

Other random values return one of the following: nothing, a redirect, 'Green Coffee', 'Green Coffee Beans' or 'Garcinia Cambogia'. Here is a visual representation of the paths taken (redirects, POSTs or clicks):

There is a constant: the payment/ordering site usually posts to "www.drstation.com".

Next: the different actors.